Xen Security Advisory XSA-55

Multiple vulnerabilities in libelf PV kernel handling

NOTE REGARDING LACK OF EMBARGO
==============================

Due to a human error this issue was prematurely publicly disclosed to
the xen-devel mailing list. Therefore this advisory is being published
immediately.

The Xen.org security team apologizes for this error and will review its
procedures to avoid it in the future.

STATUS OF THE FIX
=================

Due to the unintended early release of these patches, they have not
received as much review or testing as we would have liked.

Due to the method used to fix the issue, we have reasonable confidence
that the security vulnerability is addressed by these patches; however,
there is a risk of regressions when loading kernels which are in fact
OK, i.e. treating valid kernels as malicious.

We have not yet been assigned a CVE number for this issue.

ISSUE DESCRIPTION
=================

The ELF parser used by the Xen tools to read domains' kernels and
construct domains has multiple integer overflows, pointer dereferences
based on calculations from unchecked input values, and other problems.
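
Added example (not part of the advisory or of the Xen patches): the bug
class described above, shown as a naive offset-plus-length check beside a
wrap-free one. The function names and the 4096-byte image size are
illustrative assumptions, not libelf identifiers.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Naive check: off + len is computed modulo 2^64, so a huge len makes
 * the sum wrap to a small value and the test passes. */
static bool range_ok_naive(uint64_t img_size, uint64_t off, uint64_t len)
{
    return off + len <= img_size;
}

/* Wrap-free check: true only if [off, off + len) lies inside the image.
 * img_size - off cannot underflow because off <= img_size is tested first. */
static bool range_ok(uint64_t img_size, uint64_t off, uint64_t len)
{
    return off <= img_size && len <= img_size - off;
}

/* Validate a table of `count` entries of `entsize` bytes at `off`, as a
 * parser would for header fields such as e_phoff/e_phnum/e_phentsize. */
static bool table_ok(uint64_t img_size, uint64_t off,
                     uint64_t count, uint64_t entsize)
{
    if (entsize == 0 || count > UINT64_MAX / entsize)
        return false;           /* count * entsize would overflow */
    return range_ok(img_size, off, count * entsize);
}

int main(void)
{
    const uint64_t img_size = 4096;           /* constructed image size */
    const uint64_t bad_len = UINT64_MAX - 32; /* constructed field value */

    printf("naive accepts oversized range: %d\n",
           range_ok_naive(img_size, 64, bad_len));
    printf("safe accepts oversized range:  %d\n",
           range_ok(img_size, 64, bad_len));
    printf("56 x 56-byte table at 64:      %d\n",
           table_ok(img_size, 64, 56, 56));
    printf("overflowing entry count:       %d\n",
           table_ok(img_size, 64, UINT64_MAX / 56 + 1, 56));
    return 0;
}
```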

IMPACT
======

A malicious PV domain administrator who can specify their own kernel
can escalate their privilege to that of the domain construction tools
(i.e., normally, to control of the host).

Additionally a malicious HVM domain administrator who is able to
supply their own firmware ("hvmloader") can do likewise; however we
think this would be very unusual and it is unlikely that such
configurations exist in production systems.

VULNERABLE SYSTEMS
==================

All Xen versions are affected.

Installations which only allow the use of trustworthy kernels for PV
domains are not affected.

MITIGATION
==========

Ensuring that PV guests use only trustworthy kernels will avoid this
problem.

RESOLUTION
==========

Applying the appropriate attached patch series is intended to resolve
this issue.

xsa55-4.1/*.patch         Xen 4.1.x
xsa55-4.2/*.patch         Xen 4.2.x
xsa55-unstable/*.patch    xen-unstable

$ sha256sum xsa55-*/**.patch